Re: [freenet-support] Re: Stunnel Freenet
The truly paranoid could use a ssh tunnel to link their node to only a few trusted nodes.

~Paul

On Fri, 16 Jul 2004 14:03:37 + (UTC), phil [EMAIL PROTECTED] wrote:
> Toad [EMAIL PROTECTED] writes:
>> No. All inter-node communications are encrypted. Separately, all data is encrypted at the file level.
>
> OK welcome to blab-out-my-arse-ville!! I'm glad to be corrected; clearly I need to study up on freenet more. Thanks for your patience.
>
>> I don't see that it's relevant to the legal issue at stake..
>
> I guess the point was that the cache on its own never used to be enough, and the apparent trend toward further loosening of evidence standards.
>
>> Some of them are referring to running a node, and then analysing the requests that come in. This is difficult, as demonstrated above and for other reasons, but especially with splitfiles, it is not impossible. Also there may be traffic analysis vulnerabilities, with a sufficiently smart and powerful attacker.
>
> Any ideas about how much 'not impossible'?
>
> Thanks again, amphibian one.

___
Support mailing list
[EMAIL PROTECTED]
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:[EMAIL PROTECTED]
Re: [freenet-support] Re: Stunnel Freenet
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mika Hirvonen wrote:
[...]
| case, you'll be better off running another node locally.

Speaking of which:

I am leaving Freenet running on my router, in the hopes that FProxy will eventually start responding, and that when it does, it will eventually run faster.

Would it be worthwhile to also run a transient node on my local machine, instead of using FProxy on the router? (There's only one switch between them, and if I can't trust my own network hardware, what can I trust?) How certain can I be that it will find the router as a (very close) peer node?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQIVAwUBQPebnngHNmZLgCUhAQLobA//RFvMQm/bOIuqQA1Hi21krMMyhB8vAsSE
s27A27oKzC7BZINYJoM28+Do0bR/RGPRI3yNgznoUKXk/PDZqvHX8vKPQFGFRjdz
VndyM4mOD3lIjgsH19zIO1oPAwoYtL4Nv03X/xwwbhREW+qN/y9v6S512EldCJzf
sOcKogT7EKVlvCp9vAITw74ikNldYPkpg/z3silsVmvcZAGglRvL/qQ7AoJcYe/7
G7oHlqcxOxc41SDVQTSmy/z/eyEymMcOmhOzsQyAlvEqRWqDEAyFDv0AjnOt11LS
tbSa2IoFYg35sFOtMTPhs0j7AFZC6FTbBVhyX4PFrKUKboF9OtcplOKVTRhRJZdP
8bFcOKKyyLqNjCTykoT5WV+3N53e8JARdKECJatqf65ol8eGVMlNQOKprwDbuwVU
lrSsqVCaR8QRTRfWPOYsEM2biqK8ysqSuBbAYyvYFicH/Ijf8eYRjPIA4YhS8LMt
5LD9YjoqVhdRtDh3Q4cxTdbV3iz6n/BlypbB/hOItkoeahr1b3IZXzFxXZ6FXzYk
4V5TPZ+X5fmnMhPeNtSuhp7olrp7o033xrWBJEiFScxlnPrRCexHRyAEtOa21lF8
KE/lrSc0TQIIPOkvgA2Yh1/6oFb8FXlH26pe2+bGsZpBTCUUzU0f8XLAYOM+m1NU
jcm7A7Q+eUM=
=d+jW
-----END PGP SIGNATURE-----
[freenet-support] Re: Stunnel Freenet
David Masover writes:
> I am leaving Freenet running on my router, in the hopes that FProxy will eventually start responding, and that when it does, it will eventually run faster.
>
> Would it be worthwhile to also run a transient node on my local machine, instead of using FProxy on the router? (There's only one switch between them, and if I can't trust my own network hardware, what can I trust?)

No. The nodes would end up fighting for bandwidth. If your local machine is vastly superior to your router, you should set up port forwarding (if you need it) and run your node on your local machine instead of running it on your router.

> How certain can I be that it will find the router as a (very close) peer node?

In theory (and practice, according to Kenman's tests), NGRouting favors fast nodes, but due to request intervals, the local node will also contact other nodes.

--
Mika Hirvonen [EMAIL PROTECTED]
http://nightwatch.mine.nu/
Get Freenet from: http://cs181027153.pp.htv.fi:8891/J0~0J7ajDJE/
[freenet-support] Re: Stunnel Freenet
sysrq [EMAIL PROTECTED] writes:
> I believe he was referring to someone listening on your connection so that they could see what you are inserting and browsing on freenet.

That's what I was saying. People seem to be under the impression that everything is encrypted. It is NOT.

This means, for example, someone monitoring your connection might compare requests entering your node with requests exiting etc in order to determine that you are the originator of a request for a key to a certain freesite. In some jurisdictions, now, that could easily be enough to justify all kinds of further action.

Since the list of IPs running nodes is freely published information, all an attacker with access has to do is target a suspect node. And, thanks to post-9/11 legislation, I'm not sure they even need a court order or warrant to do this in many countries anymore.

Going even further, I know that in at least one jurisdiction a court decided that a log or similar record (eg key request) is sufficient evidence for proving that a computer event had occurred. Who knows, this might conceivably extend to downloading or inserting a freesite(?).

Furthermore, I know that in New Zealand a person no longer has to actually save a prohibited file to their hard media to break the law. A senior court there, turning over a well-known and important UK precedent, ruled that merely viewing an illegal website was sufficient to break the law.

Put all the above together and smell the coffee.
Re: [freenet-support] Re: Stunnel Freenet
On Fri, Jul 16, 2004 at 10:57:54AM +, Phil wrote:
> sysrq [EMAIL PROTECTED] writes:
>> I believe he was referring to someone listening on your connection so that they could see what you are inserting and browsing on freenet.
>
> That's what I was saying. People seem to be under the impression that everything is encrypted. It is NOT.

Yes, it is. What precisely is not encrypted?:

1. The web interface, on HTTP usually port . If the attacker can see this, you're screwed anyway, because they have a trojan installed with access to your node, your browser and so on.
2. The FCP interface, which is used by local clients. DITTO!
3. The datastore is not superencrypted. This is not a transport issue.

> This means, for example, someone monitoring your connection might compare requests entering your node with requests exiting etc in order to determine that you are the originator of a request for a key to a certain freesite. In some jurisdictions, now, that could easily be enough to justify all kinds of further action.

There are plenty of technical measures to prevent this; one is the encryption of ALL node to node links.

> Since the list of IPs running nodes is freely published information, all an attacker with access has to do is target a suspect node. And, thanks to post-9/11 legislation, I'm not sure they even need a court order or warrant to do this in many countries anymore.

Hehe, since BEFORE 9/11, interception warrants in the UK are issued by the police, for the police, and supervised by a small group of civil servants. ;)

> Going even further, I know that in at least one jurisdiction a court decided that a log or similar record (eg key request) is sufficient evidence for proving that a computer event had occurred. Who knows, this might conceivably extend to downloading or inserting a freesite(?).
>
> Furthermore, I know that in New Zealand a person no longer has to actually save a prohibited file to their hard media to break the law. A senior court there, turning over a well-known and important UK precedent, ruled that merely viewing an illegal website was sufficient to break the law.

That's unpleasant. Here, the defence of accidentally visiting a child porn site is quite viable. Or at least, senior police say it is. If you repeatedly visit them over time, or worse yet, pay for them, then of course you're in trouble.

> Put all the above together and smell the coffee.

There are vulnerabilities, of course. But none as obvious as not encrypting inter-node traffic.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
Re: [freenet-support] Re: Stunnel Freenet
On Fri, Jul 16, 2004 at 01:01:23PM +0300, Mika Hirvonen wrote:
> David Masover writes:
>
> In theory (and practice, according to Kenman's tests), NGRouting favors fast nodes, but due to request intervals, the local node will also contact other nodes.

In theory, it also favours WORKING nodes. :)

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
Re: [freenet-support] Re: Stunnel Freenet
David Masover wrote:
> Mika Hirvonen wrote:
> [...]
> | case, you'll be better off running another node locally.
>
> Speaking of which:
>
> I am leaving Freenet running on my router, in the hopes that FProxy will eventually start responding, and that when it does, it will eventually run faster.
>
> Would it be worthwhile to also run a transient node on my local machine, instead of using FProxy on the router? (There's only one switch between them, and if I can't trust my own network hardware, what can I trust?) How certain can I be that it will find the router as a (very close) peer node?

I think you can run another node on your machine (not the router), give it only one ref which is your node on the router in its seednodes.ref file. That way you can do all the FCP work on your local machine (hopefully it's safe).

--
Best regards,
Weiliang Zhang
[freenet-support] Re: Stunnel Freenet
> Yes, it is. What precisely is not encrypted?:

I was under the impression that key requests themselves were not encrypted and might be matched by a determined eavesdropper to eg a requested known nasty freesite (which is encrypted)?

> There are plenty of technical measures to prevent this; one is the encryption of ALL node to node links.

ie what I was asking about.

> Hehe, since BEFORE 9/11, interception warrants in the UK are issued by the police, for the police, and supervised by a small group of civil servants. ;)

I'm not surprised, hehe. I mean, why bother with civil liberties and all that? Such a nuisance. As Orson Welles (I think it was) said: Police work is only easy in a police state (or something like that).

> That's unpleasant. Here, the defence of accidentally visiting a child porn site is quite viable.

Accidental might be ok in NZ? What the NZ decision referred to was the difference between content only in the eg browser cache versus the accused's intentional act of saving to disc. The former never used to be sufficient evidence on its own - there needed to be (mens rea) intentionality demonstrated by eg saving to disc (or I suppose sufficient downloads). But then they decided that intentional looking was enough on its own. These decisions have a habit of migrating, might've already.

Anyway I didn't intend to limit the issue to pathetic kiddy/p. The same legal principles could be applied to any number of unacceptable materials, and let's not forget civil suits either where the burden of proof is usually easier. It's this general trend in the user's legal accountability for data requests that can be used to achieve many ends.

>> Put all the above together and smell the coffee.
>
> There are vulnerabilities, of course. But none as obvious as not encrypting inter-node traffic.

I certainly hope I was blabbing out my arse and something like Stunnel would be redundant because there is no way of eavesdropping on a single node over time to match requests to known freenet data?? If so, why do papers on freenet always mention local eavesdropping as exposing?

BTW, how does Open SSL compare with freenet tunneling?
[freenet-support] Re: Stunnel Freenet
> Perhaps I was looking at something old?

EVENTUALLY? We have encrypted all inter-node traffic since 0.4!
Re: [freenet-support] Re: Stunnel Freenet
On Fri, Jul 16, 2004 at 12:47:42PM +, phil wrote:
>> Yes, it is. What precisely is not encrypted?:
>
> I was under the impression that key requests themselves were not encrypted and might be matched by a determined eavesdropper to eg a requested known nasty freesite (which is encrypted)?

No. All inter-node communications are encrypted. Separately, all data is encrypted at the file level. For example, a typical key: CHK@blah blah 1,blah blah 2. blah blah 1 is the routing key, which is the hash of the encrypted data. This is known to the node. blah blah 2 is the decryption key, which is ONLY known to the requestor. You have to have both.

>> There are plenty of technical measures to prevent this; one is the encryption of ALL node to node links.
>
> ie what I was asking about.
>
>> Hehe, since BEFORE 9/11, interception warrants in the UK are issued by the police, for the police, and supervised by a small group of civil servants. ;)
>
> I'm not surprised, hehe. I mean, why bother with civil liberties and all that? Such a nuisance. As Orson Welles (I think it was) said: Police work is only easy in a police state (or something like that).
>
>> That's unpleasant. Here, the defence of accidentally visiting a child porn site is quite viable.
>
> Accidental might be ok in NZ? What the NZ decision referred to was the difference between content only in the eg browser cache versus the accused's intentional act of saving to disc. The former never used to be sufficient evidence on its own - there needed to be (mens rea) intentionality demonstrated by eg saving to disc (or I suppose sufficient downloads). But then they decided that intentional looking was enough on its own. These decisions have a habit of migrating, might've already.

I don't see that it's relevant to the legal issue at stake.. If somebody has hundreds of pages of KP in his browser cache, he's probably liable, even if he didn't save any of it to disk, for obvious reasons.

> Anyway I didn't intend to limit the issue to pathetic kiddy/p. The same legal principles could be applied to any number of unacceptable materials, and let's not forget civil suits either where the burden of proof is usually easier. It's this general trend in the user's legal accountability for data requests that can be used to achieve many ends.
>
>>> Put all the above together and smell the coffee.
>>
>> There are vulnerabilities, of course. But none as obvious as not encrypting inter-node traffic.
>
> I certainly hope I was blabbing out my arse and something like Stunnel would be redundant because there is no way of eavesdropping on a single node over time to match requests to known freenet data?? If so, why do papers on freenet always mention local eavesdropping as exposing?

Some of them are out of date. Some of them are referring to running a node, and then analysing the requests that come in. This is difficult, as demonstrated above and for other reasons, but especially with splitfiles, it is not impossible. Also there may be traffic analysis vulnerabilities, with a sufficiently smart and powerful attacker.

> BTW, how does Open SSL compare with freenet tunneling?

It's different, but similar. Every node has a public key which is used in setting up a connection. You can only connect to a node if you know the key, just as you can only decrypt data if you know the key. In both cases you usually get a new key from old nodes or old data.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
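The two-part key Toad describes above (routing key = hash of the encrypted data, known to the node; decryption key known only to the requester), worked through as an added Python illustration. This is not Freenet's code: the key-string layout, the stream cipher (HMAC-SHA256 in counter mode, standing in for a real block cipher so the example runs on the standard library alone) and the derivation of the decryption key from the plaintext hash are all assumptions of this example. What it shows is the separation of roles: the storing node can locate and integrity-check a block by its routing key, and will refuse a tampered block, but cannot read it; only a requester holding the full key string gets the plaintext.

```python
"""Toy model of a two-part content key: CHK@<routing key>,<decryption key>.

Constructed illustration, not Freenet's implementation. A storing node sees
only ciphertext and its hash (the routing key); the decryption key is known
only to whoever holds the full key string.
"""
import hashlib
import hmac
from typing import Optional

PREFIX = "CHK@"  # assumed key-string format for this example


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256.

    Stand-in for a real block cipher so the example runs on the stdlib alone.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def make_chk(plaintext: bytes) -> tuple[str, bytes]:
    """Insert side: encrypt, hash the ciphertext, return (key string, ciphertext).

    Assumption: the decryption key is derived from the plaintext hash, so the
    same content always yields the same key string.
    """
    dec_key = hashlib.sha256(plaintext).digest()
    ciphertext = xor_crypt(plaintext, dec_key)
    routing_key = hashlib.sha256(ciphertext).hexdigest()
    return f"{PREFIX}{routing_key},{dec_key.hex()}", ciphertext


def parse_chk(key_string: str) -> tuple[str, bytes]:
    """Split a key string into (routing key hex, decryption key bytes)."""
    if not key_string.startswith(PREFIX):
        raise ValueError("not a CHK")
    routing_hex, dec_hex = key_string[len(PREFIX):].split(",", 1)
    return routing_hex, bytes.fromhex(dec_hex)


class Node:
    """What an intermediate node holds: ciphertext indexed by routing key."""

    def __init__(self) -> None:
        self.store: dict[str, bytes] = {}

    def insert(self, ciphertext: bytes) -> str:
        routing_key = hashlib.sha256(ciphertext).hexdigest()
        self.store[routing_key] = ciphertext
        return routing_key

    def fetch(self, routing_key: str) -> Optional[bytes]:
        """Return the block, or None if absent. The node verifies the block
        against its routing key without being able to read the content."""
        data = self.store.get(routing_key)
        if data is not None and hashlib.sha256(data).hexdigest() != routing_key:
            raise ValueError("block does not match its routing key")
        return data


def retrieve(node: Node, key_string: str) -> Optional[bytes]:
    """Requester side: ask the node by routing key only, decrypt locally."""
    routing_key, dec_key = parse_chk(key_string)
    ciphertext = node.fetch(routing_key)
    return None if ciphertext is None else xor_crypt(ciphertext, dec_key)


def tampered_block_is_rejected(node: Node, routing_key: str) -> bool:
    """Flip one bit in the stored block and check the node refuses to serve it."""
    original = node.store[routing_key]
    node.store[routing_key] = original[:-1] + bytes([original[-1] ^ 0x01])
    try:
        node.fetch(routing_key)
        return False
    except ValueError:
        return True
    finally:
        node.store[routing_key] = original


if __name__ == "__main__":
    content = b"constructed sample freesite content"  # constructed input
    key, ct = make_chk(content)
    node = Node()
    node.insert(ct)
    print(key)
    print(retrieve(node, key) == content)
```

The point of `Node.fetch` is that integrity checking needs only the routing key: a node can detect a corrupted or substituted block without ever holding the second half of the key. A wrong decryption key, by contrast, is not detected at the node at all; the requester simply gets unreadable bytes, which is why both halves have to be present for a useful fetch.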
[freenet-support] Re: Stunnel Freenet
Toad [EMAIL PROTECTED] writes:
> No. All inter-node communications are encrypted. Separately, all data is encrypted at the file level.

OK welcome to blab-out-my-arse-ville!! I'm glad to be corrected; clearly I need to study up on freenet more. Thanks for your patience.

> I don't see that it's relevant to the legal issue at stake..

I guess the point was that the cache on its own never used to be enough, and the apparent trend toward further loosening of evidence standards.

> Some of them are referring to running a node, and then analysing the requests that come in. This is difficult, as demonstrated above and for other reasons, but especially with splitfiles, it is not impossible. Also there may be traffic analysis vulnerabilities, with a sufficiently smart and powerful attacker.

Any ideas about how much 'not impossible'?

Thanks again, amphibian one.
Re: [freenet-support] Re: Stunnel Freenet
On Fri, Jul 16, 2004 at 02:03:37PM +, phil wrote:
> Toad [EMAIL PROTECTED] writes:
>> No. All inter-node communications are encrypted. Separately, all data is encrypted at the file level.
>
> OK welcome to blab-out-my-arse-ville!! I'm glad to be corrected; clearly I need to study up on freenet more. Thanks for your patience.

Hehe. When you do learn, you could contribute, on http://freenethelp.org/ :)

>> I don't see that it's relevant to the legal issue at stake..
>
> I guess the point was that the cache on its own never used to be enough, and the apparent trend toward further loosening of evidence standards.
>
>> Some of them are referring to running a node, and then analysing the requests that come in. This is difficult, as demonstrated above and for other reasons, but especially with splitfiles, it is not impossible. Also there may be traffic analysis vulnerabilities, with a sufficiently smart and powerful attacker.
>
> Any ideas about how much 'not impossible'?
>
> Thanks again, amphibian one.

--
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
Re: [freenet-support] Re: Stunnel Freenet
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Weiliang Zhang wrote:
| David Masover wrote:
| Mika Hirvonen wrote:
| [...]
| | case, you'll be better off running another node locally.
|
| Speaking of which:
|
| Would it be worthwhile to also run a transient node on my local machine,
| instead of using FProxy on the router? (There's only one switch between
| them, and if I can't trust my own network hardware, what can I trust?)
| How certain can I be that it will find the router as a (very close) peer
| node?
|
| I think you can run another node on your machine (not the router), give it
| only one ref which is your node on the router in its seednodes.ref file.
| That way you can do all the FCP work on your local machine (hopefully it's
| safe).

How do I do this? I'm not finding seednodes.ref particularly easy to read. Can someone give me a template? Or even do all the work for me - -- router is 10.0.0.1 :P

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQIVAwUBQPg3mngHNmZLgCUhAQJ/DQ/9GiurQP/X+ELfrsqjrtLgI1eBYKwL/oFi
xEeXeFGNAAfAuoRViWTaT237SIVxD7p2/y7eUuldmocE4khpThROCdPS/+zGB11/
lfUHNjDJk7+J8wvtD++ZNxRMSUJu0gKoiyePFykE18XjAJUzpClWo0nRWIhtSDZx
K+uKlDVH2FOxcqws0kzX56tOKEvxBhMvwYWaW1uNzWMfeBfEA+/yUySo/nqzBxMd
Cq7iZLVanNMKyDBszcRgI/QHo6V6/2DsHkdhVq3WZyPKYsPJzBBo3DrZBDlK1lVw
l36qockWiIVf2X0cAtqy59QL12ufTIHLFUM0wB89Mdm2H46qVyPbCzruMf7pVf2N
2ZI/RkQviZxXo+G3F1EXoz52KvIj2ouEvshSYzegeuNL+W5J2yBaAHm6M4KmKsQ+
Q2cMjbvGix0mZyJPbKBAzLWI3zelwupVc9uh9NDBaePpDsvCVlRzfoLzMHkCAhpS
Sx9XZJ8n0UhWVCh3QNVKShczEiyhUAmhcB5Le4dplmFwBwaAyRBCmZArbaJeEFrl
TJqHVcjzcvYpwx8aOM5L6oOkF6JFENcjeGLGUaqDyJx6sZY69wF7aM+sGiRk/a9G
0pRADb23pilt74fcsSei7IjxOeyzLk9jbnJ5r9pKn0BBgTzktymXknDX/pwLVdlc
chd6njacrH8=
=QibN
-----END PGP SIGNATURE-----